One third of enterprise iOS devices vulnerable to app, data hijacking attacks

Researchers from FireEye found five flaws that can be exploited by rogue apps installed through the iOS enterprise provisioning system

Apple released patches for several exploits that could allow maliciously crafted applications to destroy apps that already exist on devices, access their data or hijack their traffic, but a large number of iOS devices are still vulnerable.

The vulnerabilities allow for so-called Masque attacks because they involve the impersonation of existing apps or their components. Three of them were patched in iOS version 8.1.3 that was released in January and two newer ones were patched in iOS 8.4, released Tuesday.

In order to attack iOS devices with these flaws, hackers would have to trick their owners into installing rogue apps through the enterprise provisioning system. Companies use this mechanism to deploy in-house developed apps that are not published on the official App Store.

Using enterprise provisioning and legitimate or stolen enterprise certificates, attackers could convince users to install malicious apps that are hosted on rogue websites.

Security researchers from FireEye first reported the original application Masque attack in November last year, warning that the technique can be used to replace existing apps and access their data.

Since then, they have found and reported additional vulnerabilities that allow similar attacks. One, dubbed the URL Masque, allows hijacking inter-app communications and bypassing user confirmation prompts, while another, called the Plug-in Masque, allows attackers to replace existing VPN plug-ins, hijack device traffic and prevent devices from rebooting.

The URL Masque and Plug-in Masque vulnerabilities were patched together with the original App Masque flaw in iOS 8.1.3. However, monitoring of Web traffic from several high-profile networks revealed that one third of iOS devices on those networks still run iOS versions older than 8.1.3.

On Tuesday, the company's researchers revealed two more Masque vulnerabilities, dubbed Manifest Masque and Extension Masque, after Apple partially fixed them in iOS 8.4.

The Manifest Masque flaw can be exploited by publishing a rogue manifest file alongside an in-house app on a provisioning website. Apple fails to check whether the bundle identifiers listed in provisioning manifest files match those of the provisioned apps, the FireEye researchers said in a blog post.

"If the XML manifest file on the website has a bundle identifier equivalent to that of another genuine app on the device, and the bundle-version in the manifest is higher than the genuine app's version, the genuine app will be demolished down to a dummy placeholder, whereas the in-house app will still be installed using its built-in bundle id," the researchers explained. "The dummy placeholder will disappear after the victim restarts the device."
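As an added illustration (not FireEye's or Apple's code), the following audit performs the consistency check described above on an enterprise provisioning manifest, the plist an itms-services:// link points to: it confirms that the bundle identifier declared in the manifest matches the one inside the package it ships, and flags a manifest that would outrank an already-installed app under a borrowed identifier. The manifest uses the standard items/assets/metadata layout; the package and fleet-inventory lookups are assumed to be supplied by the reader's own tooling, and all sample values are constructed.

```python
import plistlib
from typing import Dict, List


def version_tuple(v: str) -> tuple:
    """Compare bundle-version strings like '2.1.3' numerically, not lexically."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def check_manifest(manifest_xml: bytes, package_bundle_ids: Dict[str, str],
                   installed_versions: Dict[str, str]) -> List[str]:
    """Audit an enterprise provisioning manifest for Manifest Masque conditions.

    package_bundle_ids: asset URL -> CFBundleIdentifier read from that .ipa's Info.plist
        (assumed to have been extracted beforehand by the reader's tooling).
    installed_versions: bundle id -> version of apps on the managed fleet (assumed to
        come from an MDM inventory).
    Returns human-readable findings; an empty list means the manifest is consistent.
    """
    findings: List[str] = []
    for item in plistlib.loads(manifest_xml).get("items", []):
        meta = item.get("metadata", {})
        declared_id = meta.get("bundle-identifier", "")
        declared_ver = meta.get("bundle-version", "0")
        mismatched = False
        for asset in item.get("assets", []):
            if asset.get("kind") != "software-package":
                continue
            url = asset.get("url", "")
            actual_id = package_bundle_ids.get(url)
            if actual_id is None:
                findings.append(f"{url}: package not inspected, bundle id unverified")
            elif actual_id != declared_id:
                # The check iOS did not perform before 8.4: manifest id vs. real id.
                mismatched = True
                findings.append(f"{url}: manifest declares {declared_id} but package is {actual_id}")
        # A borrowed id plus an inflated version is what displaces the genuine app.
        installed_ver = installed_versions.get(declared_id)
        if mismatched and installed_ver is not None and \
                version_tuple(declared_ver) > version_tuple(installed_ver):
            findings.append(f"{declared_id}: manifest version {declared_ver} outranks installed "
                            f"{installed_ver}; would displace that app")
    return findings


# Constructed sample: metadata names another app's bundle id with an inflated version,
# while the shipped package is really com.example.inhouse.
SAMPLE_MANIFEST = plistlib.dumps({"items": [{
    "assets": [{"kind": "software-package",
                "url": "https://provisioning.example.internal/inhouse.ipa"}],
    "metadata": {"bundle-identifier": "com.example.genuine", "bundle-version": "99.0",
                 "kind": "software", "title": "In-house Tool"}}]})
SAMPLE_PACKAGES = {"https://provisioning.example.internal/inhouse.ipa": "com.example.inhouse"}
SAMPLE_INSTALLED = {"com.example.genuine": "3.2.1"}

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST, SAMPLE_PACKAGES, SAMPLE_INSTALLED):
        print("FINDING:", finding)
```

A manifest whose declared identifier matches the package it ships produces no findings even when its version is higher, since that is an ordinary in-house update rather than an impersonation.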

Meanwhile, the Extension Masque flaw is located in the app extension feature introduced in iOS 8 and can be exploited to access another app's data or to prevent an existing app from accessing its own data.

Attackers could exploit it by creating a rogue app that registers an extension with the bundle identifier of an existing application. The extension would then gain full access to that other app's data container, according to the FireEye researchers.

While a third of iOS devices continue to be vulnerable to all Masque attacks, there are likely many more that are only vulnerable to the most recently disclosed Manifest and Extension Masque flaws. The FireEye researchers advise users to update their devices as soon as possible and to keep them up to date in the future.
